Shadow Data

The Fifth Dimension of Data Security Risk

By Curt Bryson and Michael R. Anderson

Have you every wondered why some government agencies require that computer data be erased by overwriting it at least seven times? Have you ever wondered why classified government agencies destroy computer hard disk drives rather than surplus them? The reasons for these levels of paranoia are valid and they are tied to the potentials of security breaches tied to shadow data.

When computer data is written to a floppy diskette, zip disk, hard disk or tape, a mechanical device called a head is used to write the data. The data is stored electronically in magnetic patterns of binary ones and zeros. The patterns are in the form of sectors which are written consecutively in concentric rings called tracks. The process is fast and efficient. However, the process also involves the use of a mechanical device which operates with less than exact tolerance levels. Horizontal head alignment and vertical head placement is just a bit different every time data is written and rewritten to the same track. This situation limits the effectiveness of software data scrubbers and it creates the potential for government security breaches on well used storage devices. Thus, government agencies require multiple writes when data is destroyed with data scrubbers. However, even multiple writes can not guarantee complete elimination of legacy data. The fringe data that remains on the track is called shadow data. However, NTI's M-Sweep Pro Software eliminates almost all potentials for the forensic recovery of shadow data.

Shadow data contains the remnants of computer data that was written previously to a track and it is located slightly outside the track's last write path. It gets a bit more complicated though. There are actually two phenomena which cause shadow data to come about: mechanical issues and magnetic issues. To illustrate the mechanical issues, imagine a long, straight road of a consistent width. A car traveling on that road has a paint sprayer attached to its bumper, and paints a line as it goes. Mechanical shadow data manifests itself due to imperfections in the drive's servo mechanism which causes the write arm, which holds the write head over the drive's surface, to wobble horizontally to the left and right to a certain extent. This would be analogous to our vehicle weaving back and forth on the road as the paint sprayer continues doing its job. The resulting painted line would not be in a straight line, but rather in an elongated "s" pattern. Each pass of the write head varies slightly creating new elongated "s" patterns within the bounds of the storage space assigned to the track.

The source of magnetic shadow data is analogous to the paint sprayer's nozzle being moved up and down vertically as the line is painted. If it is high, the paint spray pattern will be wide. If it is low, the paint pattern will be narrow and the painted line will be thin. With this analogy the paint over spray would be shadow data which would not be completely covered if a new line were to be painted on the road. This splatter effect is actually caused by variances in signal strength as the head moves up and down vertically as the data is written to the track.

Finally, vertical shadow data may also exist in the material used to store the magnetic imprint. On some storage devices the material consists of iron oxide layers which have been sprayed on the platter of a hard disk drive or on plastic Mylar sheets used in the manufacture of floppy diskettes. In staying with the spray paint analogy, imagine that our road in the previous examples is porous. When the paint is sprayed onto the road, some of it may seep downward into the pours asphalt that makes up the surface of the road. Later, when another line of a different color is painted onto the road, the horizontal imperfections will also be manifested as differences in depth and the new paint will also seep into the porous layers of asphalt. If we were to slice off layers of the asphalt, the original painted line, in some places, will be overlapped with the new color. But remnants of the original paint will also exist. When this analogy is compared to writes made to a hard disk drive, the layering occurs due to physical flaws in the storage media and variances in the ability of the platters coating to hold a magnetic charge.

Since the write heads path will always vary slightly, within allowable tolerances, it is theoretically impossible to guarantee the secure wipe of a floppy diskette, hard disk drive or tape using a software solution. However, multiple overwrites can increase the effectiveness of a security scrub. But strictly speaking, some data may still remain behind after a data scrub for discovery. You should be aware, however, that the recovery of shadow data is no easy task. Specialized and very expensive equipment is required to reliably recover shadow data. The costs of the necessary equipment and the expert staff required to perform the data extraction process, puts the process beyond the reach of most private sector corporations. From a computer forensics standpoint, shadow data has yet to become a source of reliable computer evidence. This is, in part, because of the costs involved. Another factor pertains to the potentials of data bleed from one layer of shadow data to an other. This problem taints the computer evidence and makes it difficult to differentiate one level of legacy data from another.

If you have an interest in researching and experimenting with shadow data, basic tools are available for free download over the Internet. However, we must stress that the reliability of these methods and techniques does not produce evidence grade results from a computer forensics standpoint. Software solutions provide limited success because they rely upon the same mechanical flaws discussed above. But, such software solutions in the wrong hands could still create a security risk. We should also point out that the use of basic data recovery tools and techniques do not compare with the tools and techniques used by US government agencies in the identification and extraction of shadow data. They are the true experts in this area.

As an additional note, older encoding methods, e.g., MFM and RLL, make the recovery of shadow data a bit less difficulty. Newer hard disk drive technologies, however, make recovery of shadow data a bit less fruitful, because the drive densities require higher frequencies to write data to narrower tracks. This limits access to the shadow data, because the signal strength and write frequencies are not as strong as with older technologies. Furthermore, some of the "splatter" effect is reduced with the newer hard disk drive technologies because of tighter manufacturing tolerances Finally, higher hard disk drive RPM's make the mechanical "wobble" much less pronounced than with older technologies. This does not eliminate the threat shadow data poses; enough shadow data still exists to provide some insight into the data on a given hard drive. Today's hard disk drive technology does, however, limit the potentials of security risks tied to shadow data somewhat.

Floppy diskettes pose a higher level of threat, as it relates to shadow data, than computer hard disk drives. Since floppy diskettes are encoded using older encoding formats, they are more "porous" (less dense), and floppy disk heads write much less efficiently than hard disk write heads. If you want to experiment with shadow data, floppy diskettes might be a good place to start.

Modern computer forensic search tools used in computer related investigations and in computer security risk reviews will not find search terms which may exist in the form of shadow data. This is because the controllers on the drive either incapable or not set to find shadow data. This should bring a certain level of comfort to most private sector computer users. However you should still be aware that the risk exists and that someone may be willing to pay the price to "steal" corporate and government secrets stored in the form of shadow data.

How to protect against shadow data security risks.

Probably the first, most effective, step in reducing your vulnerability to shadow data leakage is knowledge that is exists. Knowing that shadow data potentially exists will ensure that you at least weigh the risks and make informed decisions concerning the scrubbing of data, degaussing storage devices and in managing the risks.

U. S. government classified data handling instructions call for a certain specifications concerning the disposal of computer storage devices. Data scrubbing through the use of multiple overwrites is on potential solution. While this procedure is not 100% fool-proof; it does significantly reduce the likelihood of shadow data becoming a threat in your organization. Using old RLL-encoded drives, Peter Gutman of the University of Auckland speculated, in his document "Secure Deletion of Data from Magnetic and Solid- State Memory", that overwriting a drive 35 times with varying hexadecimal values may force the write head to vary magnetic effect on the iron oxide particles to such an extent as to remove the shadow data. Still, there is no guarantee that software solutions will effectively wipe out all this information because the process relies on the drive's controller, which is not suited for this purpose.

High-intensity degaussing of a hard drive platter, floppy diskette, zip disks and tape is probably the best way to ensure the elimination of threats associated with shadow data. This is an effective process to use when storage devices are being retired from service. Be mindful that the degaussing of a hard disk drive must be performed after the platters have been removed. Otherwise, the hard disk drive will act as a protective shield and some shadow data may survive. The complete incineration of floppy diskettes, zip disks and tapes also can be used to remove any security threats associated with shadow data.

Corporate and government policies concerning the disposal of computer storage media should always take into account the potentials of shadow data as a potential data security risk. With knowledge and proper controls in place, shadow data should not become a security problem for most government agencies and corporations.